AWS SSM parameters retrieval

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-02-02

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Severity	Informational

An attempt was made to retrieve parameters stored in AWS SSM.

Exfiltrate sensitive secrets stored in AWS SSM parameter store.

Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents.
Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Severity	Informational

An attempt was made to retrieve encrypted parameters stored in AWS SSM.

Exfiltrate sensitive secrets stored in AWS SSM parameter store.

Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents.
Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Severity	Informational

An attempt was made to retrieve parameters stored in AWS SSM.

Exfiltrate sensitive secrets stored in AWS SSM parameter store.

Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents.
Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.